[Pkg-shadow-devel] A historical curiosity in su(1)

Serge E. Hallyn serge at hallyn.com
Mon Apr 3 19:32:08 UTC 2017

Quoting Chris Sinjakli (chris at sinjakli.co.uk):
> Hi folks,
> I'm doing some digging for a talk I'm working on for PGConf US[1].
> The talk is one I've given before[2], and last time I gave it I left an open
> question right near the end. This time, I'd love to be able to answer it!
> The open question revolves around the way su(1) determines the user it is being
> invoked by. Specifically, it does this using a combination of the result of
> getuid and getlogin[3][4].
> If calling getpwnam on the result of getlogin returns a passwd struct, and the
> uid in that struct matches the uid returned by getuid, it returns that passwd
> struct.
> If the getpwnam approach fails for either reason, it falls back to using the
> result of getpwuid on the result of getuid.
> The thing I'm curious about is why it goes to the trouble of trying to use the
> result of getpwnam/getlogin at all. The only time it will return something
> different from getpwuid/getuid is if there are two users with the same uid but
> different information in the rest of their passwd entry.
> Are there cases where you might want to set up a system this way? I've always
> avoided assigning the same uid to multiple users - it seems like a bad idea!


sorry I don't have any historical insights I can give here, but I'm quite
certain I've seen cases where there were >1 usernames sharing a uid.  So
that seems a plausible rationale.

More information about the Pkg-shadow-devel mailing list